# IAM role for the EC2-hosted Bamboo agent that deploys GitLab Dedicated.
#
# Trust policy: only the EC2 service principal may assume the role, i.e. any
# instance launched with an instance profile that contains it. Permissions come
# from one inline policy, "CopyOfBambooDeployRolePolicy", reproduced below
# statement by statement. Every Action/Effect/Resource/Sid/Condition value is
# the same as in the copied policy; only the HCL formatting differs: the "="
# attribute form is used throughout instead of the original mix of "=", ":" and
# quoted keys, and conventional two-space indentation is applied. jsonencode
# emits object keys in sorted order, so attribute order inside each statement is
# cosmetic and the rendered JSON is unchanged.
#
# NOTE(review): the majority of statements grant Resource = "*". Taken together
# (ec2:*, ecr:*, cloudformation:*, iam:CreateRole + iam:PutRolePolicy +
# iam:PassRole on "*", ssm:*, lambda:*, rds:*, secretsmanager:Get* on "*", …)
# the role is close to account-wide administrator, and the tightly scoped
# "eksIamPermissions" and "eksSsmParameterAccess" statements are made moot by
# the unscoped grants in "BambooExtraPermissions". Per-statement notes below
# mark where a Resource ARN or Condition would reduce blast radius; the
# policy itself is left as copied.
# NOTE(review): `inline_policy` is deprecated in recent aws provider major
# versions in favour of a separate aws_iam_role_policy resource — confirm
# against the provider version this module pins.
resource "aws_iam_role" "gitlab_dedicated_bamboo_agent" {
  name = "gitlab-dedicated-bamboo-agent"

  # Trust policy: EC2 service principal only.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })

  inline_policy {
    name = "CopyOfBambooDeployRolePolicy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        # Deploy-time S3 read/list/write. Fully contained in "PackerS3Access"
        # below, which additionally allows s3:DeleteObject*.
        {
          Sid      = "DeployS3Access"
          Effect   = "Allow"
          Action   = ["s3:Get*", "s3:List*", "s3:PutObject*"]
          Resource = ["*"]
        },
        # Identical to "PackerS3BucketAccess" below.
        {
          Sid      = "DeployS3BucketAccess"
          Effect   = "Allow"
          Action   = ["s3:ListAllMyBuckets", "s3:CreateBucket"]
          Resource = ["*"]
        },
        # The seven "Packer*" statements are the per-action grants a Packer
        # AMI build needs. All of the ec2:* ones are subsumed by "EC2FullAccess"
        # further down, so they only document intent.
        {
          Sid    = "PackerSecurityGroupAccess"
          Effect = "Allow"
          Action = [
            "ec2:CreateSecurityGroup",
            "ec2:DeleteSecurityGroup",
            "ec2:DescribeSecurityGroups",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupIngress"
          ]
          Resource = ["*"]
        },
        {
          Sid    = "PackerAMIAccess"
          Effect = "Allow"
          Action = [
            "ec2:CreateImage",
            "ec2:RegisterImage",
            "ec2:DeregisterImage",
            "ec2:DescribeImages"
          ]
          Resource = ["*"]
        },
        {
          Sid      = "PackerSnapshotAccess"
          Effect   = "Allow"
          Action   = ["ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeSnapshots"]
          Resource = ["*"]
        },
        {
          Sid    = "PackerInstanceAccess"
          Effect = "Allow"
          Action = [
            "ec2:RunInstances",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:RebootInstances",
            "ec2:TerminateInstances",
            "ec2:DescribeInstances",
            "ec2:CreateTags"
          ]
          Resource = ["*"]
        },
        {
          Sid      = "PackerKeyPairAccess"
          Effect   = "Allow"
          Action   = ["ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:DescribeKeyPairs"]
          Resource = ["*"]
        },
        # Superset of "DeployS3Access": also allows object deletion in every
        # bucket of the account. A bucket ARN list would bound this.
        {
          Sid      = "PackerS3Access"
          Effect   = "Allow"
          Action   = ["s3:Get*", "s3:List*", "s3:PutObject*", "s3:DeleteObject*"]
          Resource = ["*"]
        },
        {
          Sid      = "PackerS3BucketAccess"
          Effect   = "Allow"
          Action   = ["s3:ListAllMyBuckets", "s3:CreateBucket"]
          Resource = ["*"]
        },
        # Unrestricted EC2. Makes every ec2:* grant above redundant.
        {
          Sid      = "EC2FullAccess"
          Effect   = "Allow"
          Action   = ["ec2:*"]
          Resource = ["*"]
        },
        # Unrestricted ECR (push as well as pull, on every repository).
        {
          Sid      = "EcrPermissions"
          Effect   = "Allow"
          Action   = ["ecr:*"]
          Resource = ["*"]
        },
        # Unrestricted CloudFormation.
        {
          Sid      = "CloudformationPermissions"
          Effect   = "Allow"
          Action   = ["cloudformation:*"]
          Resource = ["*"]
        },
        # AWS Backup plus the KMS calls a backup vault needs. kms:Decrypt on "*"
        # covers every CMK in the account, not just the vault key — a key ARN
        # (or a kms:ViaService condition) would scope it. Sid keeps the original
        # spelling "Permissons"; it is an identifier in the stored policy.
        {
          Sid    = "BackupVaultPermissons"
          Effect = "Allow"
          Action = [
            "backup:*",
            "backup-storage:MountCapsule",
            "kms:CreateGrant",
            "kms:GenerateDataKey",
            "kms:Decrypt",
            "kms:RetireGrant",
            "kms:DescribeKey"
          ]
          Resource = ["*"]
        },
        # CloudWatch Logs write access; the only statement with a service-level
        # ARN pattern rather than "*".
        {
          Sid    = "AwsLogs"
          Effect = "Allow"
          Action = [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogStreams",
            "logs:PutMetricFilter"
          ]
          Resource = ["arn:aws:logs:*:*:*"]
        },
        # Grab-bag of service-wide wildcards on Resource "*".
        # NOTE(review): iam:CreateRole, iam:PutRolePolicy and iam:PassRole with
        # Resource "*" let the agent mint roles with arbitrary permissions and
        # attach any existing role to the EC2/ECS/Lambda/EKS workloads it also
        # controls here — this is the statement to scope first (role ARN
        # patterns on the iam:* actions, as "eksIamPermissions" already does).
        # ssm:* and kms:Decrypt here also override the narrower
        # "eksSsmParameterAccess" and "BackupVaultPermissons" grants.
        {
          Sid    = "BambooExtraPermissions"
          Effect = "Allow"
          Action = [
            "iam:CreateRole",
            "iam:DeleteRolePolicy",
            "iam:GetRole",
            "iam:PutRolePolicy",
            "iam:DeleteRole",
            "iam:PassRole",
            "ecs:*",
            "eks:*",
            "elasticloadbalancing:*",
            "logs:DeleteLogGroup",
            "logs:DescribeLogGroups",
            "logs:PutRetentionPolicy",
            "autoscaling:*",
            "route53:*",
            "elasticache:*",
            "apigateway:*",
            "cloudfront:*",
            "sns:*",
            "sqs:*",
            "rds:*",
            "cloudwatch:*",
            "elasticfilesystem:*",
            "application-autoscaling:*",
            "dynamodb:*",
            "kms:Decrypt",
            "ssm:*",
            "lambda:*",
            "kafka:*",
            "acm:*",
            "events:*",
            "license-manager:*"
          ]
          Resource = "*"
        },
        # Service-linked role creation, constrained by condition to the listed
        # AWS services — the one statement here that uses a Condition.
        {
          Sid    = "eksCreateServiceRoles"
          Effect = "Allow"
          Action = ["iam:CreateServiceLinkedRole"]
          Condition = {
            StringEquals = {
              "iam:AWSServiceName" = [
                "autoscaling.amazonaws.com",
                "ec2scheduled.amazonaws.com",
                "elasticloadbalancing.amazonaws.com",
                "eks.amazonaws.com",
                "spot.amazonaws.com",
                "spotfleet.amazonaws.com",
                "transitgateway.amazonaws.com"
              ]
            }
          }
          Resource = "*"
        },
        # Read-only SSM parameters under /aws/ in this account; the second ARN
        # has an empty account field (presumably the AWS-published public
        # parameters). Redundant while "BambooExtraPermissions" grants ssm:*.
        # NOTE(review): the account id is hard-coded here and in
        # "eksIamPermissions"; data.aws_caller_identity.current.account_id
        # would keep the module portable across accounts.
        {
          Sid    = "eksSsmParameterAccess"
          Effect = "Allow"
          Action = ["ssm:GetParameter", "ssm:GetParameters"]
          Resource = [
            "arn:aws:ssm:*:336837717482:parameter/aws/*",
            "arn:aws:ssm:*::parameter/aws/*"
          ]
        },
        # IAM operations scoped to eksctl-managed roles, instance profiles and
        # the account's OIDC providers. This is the least-privilege shape the
        # iam:* actions in "BambooExtraPermissions" should follow.
        {
          Sid    = "eksIamPermissions"
          Effect = "Allow"
          Action = [
            "iam:CreateInstanceProfile",
            "iam:DeleteInstanceProfile",
            "iam:GetInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile",
            "iam:GetRole",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:AttachRolePolicy",
            "iam:PutRolePolicy",
            "iam:ListInstanceProfiles",
            "iam:AddRoleToInstanceProfile",
            "iam:ListInstanceProfilesForRole",
            "iam:PassRole",
            "iam:DetachRolePolicy",
            "iam:DeleteRolePolicy",
            "iam:GetRolePolicy",
            "iam:GetOpenIDConnectProvider",
            "iam:CreateOpenIDConnectProvider",
            "iam:DeleteOpenIDConnectProvider",
            "iam:ListAttachedRolePolicies",
            "iam:TagRole"
          ]
          Resource = [
            "arn:aws:iam::336837717482:instance-profile/eksctl-*",
            "arn:aws:iam::336837717482:role/eksctl-*",
            "arn:aws:iam::336837717482:oidc-provider/*",
            "arn:aws:iam::336837717482:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
            "arn:aws:iam::336837717482:role/eksctl-managed-*"
          ]
        },
        # Unrestricted Kinesis.
        {
          Sid      = "KinesisFullPermissions"
          Effect   = "Allow"
          Action   = ["kinesis:*"]
          Resource = ["*"]
        },
        # Unrestricted Step Functions.
        {
          Sid      = "StepfunctionPermissions"
          Effect   = "Allow"
          Action   = ["states:*"]
          Resource = ["*"]
        },
        # Secrets Manager read and write on every secret in the account
        # (secretsmanager:Get* on "*" includes GetSecretValue). A secret ARN
        # prefix or a tag-based Condition would confine this to the
        # pipeline's own secrets.
        {
          Sid    = "SecretsmanagerPermissions"
          Effect = "Allow"
          Action = [
            "secretsmanager:DescribeSecret",
            "secretsmanager:Get*",
            "secretsmanager:Create*",
            "secretsmanager:Put*",
            "secretsmanager:Update*",
            "secretsmanager:List*",
            "secretsmanager:TagResource",
            "secretsmanager:UntagResource",
            "secretsmanager:DeleteSecret"
          ]
          Resource = ["*"]
        },
        # Token retrieval for pulling from ECR Public; both actions are
        # account-level and only accept Resource "*".
        {
          Sid      = "loadPublicEcr"
          Effect   = "Allow"
          Action   = ["ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken"]
          Resource = "*"
        }
      ]
    })
  }
}